[0001]
[0002]
[0003]
[0004]
[0005]
[0006]
[0007]
[0008]
[0009]
[0010]
[0011]
[0012]
[0013]
[0014]
[0015]
[0016]
[0017]
[0018]
[0019]
[0020]
[0021]
[0022]
[0023]
[0024]
[0025]
[0026]
[0027]
[0028]
[0029]
[0030]
[0031]
[0032]
[0033]
[0034]
[0035]
[0036]
[0037]
[0038]
[0039]
[0040]
[0041]
[0042]
[0043]
[0044]
[0045]
[0046]
[0047]
[0048]
[0049]
[0050]
[0051]
[0052]
[0053]
[0054]
[0055]
[0056]
[0057]
[0058]
[0059]
[0060]
[0061]
[0062]
[0063]
[0064]
[0065]
[0066]
[0067]
[0068]
[0069]
[0070]
[0071]
[0072]
[0073]
[0074]
[0075]
[0076]
[0077]
[0078]
[0079]
[0080]
[0081]
[0082]
[0083]
[0084]
[0085]
[0086]
[0087]
[0088]
[0089]
[0090]
[0091]
[0092]
[0093]
[0094]
[0095]
[0096]
[0097]
[0098]
[0099]
[0100]
[0101]
[0102]
[0103]
[0104]
[0105]
[0106]
[0107]
[0108]
[0109]
[0110]
[0111]
[0112]
[0113]
[0114]
[0115]
[0116]
[0117]
[0118]
[0119]
[0120]
[0121]
[0122]
[0123]
[0124]
[0125]
[0126]
[0127]
[0128]
[0129]
[0130]
[0131]
[0132]
[0133]
[0134]
[0135]
[0136]
[0137]
[0138]
[0139]
[0140]
[0141]
[0142]
[0143]
[0144]
[0145]
[0146]
[0147]
[0148]
[0149]
[0150]
[0151]
[0152]
[0153]
[0154]
[0155]
[0156]
[0157]
[0158]
[0159]
[0160]
[0161]
[0162]
[0163]
[0164]
[0165]
[0166]
[0167]
[0168]
[0169]
[0170]
[0171]
[0172]
[0173]
[0174]
[0175]
[0176]
[0177]
[0178]
[0179]
[0180]
[0181]
[0182]
[0183]
[0184]
[0185]
[0186]
[0187]
[0188]
[0189]
[0190]
[0191]
[0192]
[0193]
[0194]
[0195]
[0196]
[0197]
[0198]
[0199]
[0200]
[0201]
[0202]
[0203]
[0204]
[0205]
[0206]
[0207]
[0208]
[0209]
[0210]
[0211]
[0212]
[0213]
[0214]
[0215]
[0216]
[0217]
[0218]
[0219]
[0220]
[0221]
[0222]
[0223]
[0224]
[0225]
[0226]
[0227]
[0228]
[0229]
[0230]
[0231]
[0232]
[0233]
[0234]
[0235]
[0236]
[0237]
[0238]
[0239]
[0240]
[0241]
[0242]
[0243]
[0244]
[0245]
[0246]
[0247]
[0248]
[0249]
[0250]
[0251]
[0252]
[0253]
[0254]
[0255]
[0256]
[0257]
[0258]
[0259]
[0260]
[0261]
[0262]
[0263]
[0264]
[0265]
[0266]
[0267]
[0268]
[0269]
[0270]
[0271]
[0272]
[0273]
[0274]
[0275]
[0276]
[0277]
[0278]
[0279]
[0280]
[0281]
[0282]
[0283]
[0284]
[0285]
[0286]
[0287]
[0288]
[0289]
[0290]
[0291]
[0292]
[0293]
[0294]
[0295]
[0296]
[0297]
[0298]
[0299]
[0300]
[0301]
[0302]
[0303]
[0304]
[0305]
[0306]
[0307]
[0308]
[0309]
[0310]
[0311]
[0312]
[0313]
[0314]
[0315]
[0316]
[0317]
[0318]
[0319]
[0320]
[0321]
[0322]
[0323]
[0324]
[0325]
[0326]
[0327]
[0328]
[0329]
[0330]
[0331]
[0332]
[0333]
[0334]
[0335]
[0336]
[0337]
[0338]
[0339]
[0340]
[0341]
[0342]
[0343]
[0344]
[0345]
[0346]
[0347]
[0348]
[0349]
[0350]
[0351]
[0352]
[0353]
[0354]
[0355]
[0356]
[0357]
[0358]
[0359]
[0360]
[0361]
[0362]
[0363]
[0364]
[0365]
[0366]
[0367]
[0368]
[0369]
[0370]
[0371]
[0372]
[0373]
[0374]
[0375]
[0376]
[0377]
[0378]
[0379]
[0380]
[0381]
[0382]
[0383]
[0384]
[0385]
[0386]
[0387]
[0388]
[0389]
[0390]
[0391]
[0392]
[0393]
[0394]
[0395]
[0396]
[0397]
[0398]
[0399]
[0400]
[0401]
[0402]
[0403]
[0404]
[0405]
[0406]
[0407]
[0408]
[0409]
[0410]
[0411]
[0412]
[0413]
[0414]
[0415]
[0416]
[0417]
[0418]
[0419]
[0420]
[0421]
[0422]
[0423]
[0424]
[0425]
[0426]
[0427]
[0428]
[0429]
[0430]
[0431]
[0432]
[0433]
[0434]
[0435]
[0436]
[0437]
[0438]
[0439]
[0440]
[0441]
[0442]
[0443]
[0444]
[0445]
[0446]
[0447]
[0448]
[0449]
[0450]
[0451]
[0452]
[0453]
[0454]
[0455]
[0456]
[0457]
[0458]
[0459]
[0460]
[0461]
[0462]
[0463]
[0464]
[0465]
[0466]
[0467]
[0468]
[0469]
[0470]
[0471]
[0472]
[0473]
[0474]
[0475]
[0476]
[0477]
[0478]
[0479]
[0480]
[0481]
[0482]
[0483]
[0484]
[0485]
[0486]
[0487]
[0488]
[0489]
[0490]
[0491]
[0492]
[0493]
[0494]
[0495]
[0496]
[0497]
[0498]
[0499]
[0500]
[0501]
[0502]
[0503]
[0504]
[0505]
[0506]
[0507]
[0508]
[0509]
[0510]
[0511]
[0512]
[0513]
[0514]
[0515]
[0516]
[0517]
[0518]
[0519]
[0520]
[0521]
[0522]
[0523]
[0524]
[0525]
[0526]
[0527]
[0528]
[0529]
[0530]
[0531]
[0532]
[0533]
[0534]
[0535]
[0536]
[0537]
[0538]
[0539]
[0540]
[0541]
[0542]
[0543]
[0544]
[0545]
[0546]
[0547]
[0548]
[0549]
[0550]
[0551]
[0552]
[0553]
[0554]
[0555]
[0556]
[0557]
[0558]
[0559]
[0560]
[0561]
[0562]
[0563]
[0564]
[0565]
[0566]
[0567]
[0568]
[0569]
[0570]
[0571]
[0572]
[0573]
[0574]
[0575]
[0576]
[0577]
[0578]
[0579]
[0580]
[0581]
[0582]
[0583]
[0584]
[0585]
[0586]
[0587]
[0588]
[0589]
[0590]
[0591]
[0592]
[0593]
[0594]
[0595]
[0596]
[0597]
[0598]
[0599]
[0600]
[0601]
[0602]
[0603]
[0604]
[0605]
[0606]
[0607]
[0608]
[0609]
[0610]
[0611]
[0612]
[0613]
[0614]
[0615]
[0616]
[0617]
[0618]
[0619]
[0620]
[0621]
[0622]
[0623]
[0624]
[0625]
[0626]
[0627]
[0628]
[0629]
[0630]
[0631]
[0632]
[0633]
[0634]
[0635]
[0636]
[0637]
[0638]
[0639]
[0640]
[0641]
[0642]
[0643]
[0644]
[0645]
[0646]
[0647]
[0648]
[0649]
[0650]
[0651]
[0652]
[0653]
[0654]
[0655]
[0656]
[0657]
[0658]
[0659]
[0660]
[0661]
[0662]
[0663]
[0664]
[0665]
[0666]
[0667]
[0668]
[0669]
[0670]
[0671]
[0672]
[0673]
[0674]
[0675]
[0676]
[0677]
[0678]
[0679]
[0680]
[0681]
[0682]
[0683]
[0684]
[0685]
[0686]
[0687]
[0688]
[0689]
[0690]
[0691]
[0692]
[0693]
[0694]
[0695]
[0696]
[0697]
[0698]
[0699]
[0700]
[0701]
[0702]
[0703]
[0704]
[0705]
[0706]
[0707]
[0708]
[0709]
[0710]
[0711]
[0712]
[0713]
[0714]
[0715]
[0716]
[0717]
[0718]
[0719]
[0720]
[0721]
[0722]
[0723]
[0724]
[0725]
[0726]
[0727]
[0728]
[0729]
[0730]
[0731]
[0732]
[0733]
[0734]
[0735]
[0736]
[0737]
[0738]
[0739]
[0740]
[0741]
[0742]
[0743]
[0744]
[0745]
[0746]
[0747]
[0748]
[0749]
[0750]
[0751]
[0752]
[0753]
[0754]
[0755]
[0756]
[0757]
[0758]
[0759]
[0760]
[0761]
[0762]
[0763]
[0764]
[0765]
[0766]
[0767]
[0768]
[0769]
[0770]
[0771]
[0772]
[0773]
[0774]
[0775]
[0776]
[0777]
[0778]
[0779]
[0780]
[0781]
[0782]
[0783]
[0784]
[0785]
[0786]
[0787]
[0788]
[0789]
[0790]
[0791]
[0792]
[0793]
[0794]
[0795]
[0796]
[0797]
[0798]
[0799]
[0800]
[0801]
[0802]
[0803]
[0804]
[0805]
[0806]
[0807]
[0808]
[0809]
[0810]
[0811]
[0812]
[0813]
[0814]
[0815]
[0816]
[0817]
[0818]
[0819]
[0820]
[0821]
[0822]
[0823]
[0824]
[0825]
[0826]
[0827]
[0828]
[0829]
[0830]
[0831]
[0832]
[0833]
[0834]
[0835]
[0836]
[0837]
[0838]
[0839]
[0840]
[0841]
[0842]
[0843]
[0844]
[0845]
[0846]
[0847]
[0848]
[0849]
[0850]
[0851]
[0852]
[0853]
[0854]
[0855]
[0856]
[0857]
[0858]
[0859]
[0860]
[0861]
[0862]
[0863]
[0864]
[0865]
[0866]
[0867]
[0868]
[0869]
[0870]
[0871]
[0872]
[0873]
[0874]
[0875]
[0876]
[0877]
[0878]
[0879]
[0880]
[0881]
[0882]
[0883]
[0884]
[0885]
[0886]
[0887]
[0888]
[0889]
[0890]
[0891]
[0892]
[0893]
[0894]
[0895]
[0896]
[0897]
[0898]
[0899]
[0900]
[0901]
[0902]
[0903]
[0904]
[0905]
[0906]
[0907]
[0908]
[0909]
[0910]
[0911]
[0912]
[0913]
[0914]
[0915]
[0916]
[0917]
[0918]
[0919]
[0920]
[0921]
[0922]
[0923]
[0924]
[0925]
[0926]
[0927]
[0928]
[0929]
[0930]
[0931]
[0932]
[0933]
[0934]
[0935]
[0936]
[0937]
[0938]
[0939]
[0940]
[0941]
[0942]
[0943]
[0944]
[0945]
[0946]
[0947]
[0948]
[0949]
[0950]
[0951]
[0952]
[0953]
[0954]
[0955]
[0956]
[0957]
[0958]
[0959]
[0960]
[0961]
[0962]
[0963]
[0964]
[0965]
[0966]
[0967]
[0968]
[0969]
[0970]
[0971]
[0972]
[0973]
[0974]
[0975]
[0976]
[0977]
[0978]
[0979]
[0980]
[0981]
[0982]
[0983]
[0984]
[0985]
[0986]
[0987]
[0988]
[0989]
[0990]
[0991]
[0992]
[0993]
[0994]
[0995]
[0996]
[0997]
[0998]
[0999]
[1000]
[1001]
[1002]
[1003]
[1004]
[1005]
[1006]
[1007]
[1008]
[1009]
[1010]
[1011]
[1012]
[1013]
[1014]
[1015]
[1016]
[1017]
[1018]
[1019]
[1020]
[1021]
[1022]
[1023]
[1024]
[1025]
[1026]
[1027]
[1028]
[1029]
[1030]
[1031]
[1032]
[1033]
[1034]
[1035]
[1036]
[1037]
[1038]
[1039]
[1040]
[1041]
[1042]
[1043]
[1044]
[1045]
[1046]
[1047]
[1048]
[1049]
[1050]
[1051]
[1052]
[1053]
[1054]
[1055]
[1056]
[1057]
[1058]
[1059]
[1060]
[1061]
[1062]
[1063]
[1064]
[1065]
[1066]
[1067]
[1068]
[1069]
[1070]
[1071]
[1072]
[1073]
[1074]
[1075]
[1076]
[1077]
[1078]
[1079]
[1080]
[1081]
[1082]
[1083]
[1084]
[1085]
[1086]
[1087]
[1088]
[1089]
[1090]
[1091]
[1092]
[1093]
[1094]
[1095]
[1096]
[1097]
[1098]
[1099]
[1100]
[1101]
[1102]
[1103]
[1104]
[1105]
[1106]
[1107]
[1108]
[1109]
[1110]
[1111]
[1112]
[1113]
[1114]
[1115]
[1116]
[1117]
[1118]
[1119]
[1120]
[1121]
[1122]
[1123]
[1124]
[1125]
[1126]
[1127]
[1128]
[1129]
[1130]
[1131]
[1132]
[1133]
[1134]
[1135]
[1136]
[1137]
[1138]
[1139]
[1140]
[1141]
[1142]
[1143]
[1144]
[1145]
[1146]
[1147]
[1148]
[1149]
[1150]
[1151]
[1152]
[1153]
[1154]
[1155]
[1156]
[1157]
[1158]
[1159]
[1160]
[1161]
[1162]
[1163]
[1164]
[1165]
[1166]
[1167]
[1168]
[1169]
[1170]
[1171]
[1172]
[1173]
[1174]
[1175]
[1176]
[1177]
[1178]
[1179]
[1180]
[1181]
[1182]
[1183]
[1184]
[1185]
[1186]
[1187]
[1188]
[1189]
[1190]
[1191]
[1192]
[1193]
[1194]
[1195]
[1196]
[1197]
[1198]
[1199]
[1200]
[1201]
[1202]
[1203]
[1204]
[1205]
[1206]
[1207]
[1208]
[1209]
[1210]
[1211]
[1212]
[1213]
[1214]
[1215]
[1216]
[1217]
[1218]
[1219]
[1220]
[1221]
[1222]
[1223]
[1224]
[1225]
[1226]
[1227]
[1228]
[1229]
[1230]
[1231]
[1232]
[1233]
[1234]
[1235]
[1236]
[1237]
[1238]
[1239]
[1240]
[1241]
[1242]
[1243]
[1244]
[1245]
[1246]
[1247]
[1248]
[1249]
[1250]
[1251]
[1252]
[1253]
[1254]
[1255]
[1256]
[1257]
[1258]
[1259]
[1260]
[1261]
[1262]
[1263]
[1264]
[1265]
[1266]
[1267]
[1268]
[1269]
[1270]
[1271]
[1272]
[1273]
[1274]
[1275]
[1276]
[1277]
[1278]
[1279]
[1280]
[1281]
[1282]
[1283]
[1284]
[1285]
[1286]
[1287]
[1288]
[1289]
[1290]
[1291]
[1292]
[1293]
[1294]
[1295]
[1296]
[1297]
[1298]
[1299]
[1300]
[1301]
[1302]
[1303]
[1304]
[1305]
[1306]
[1307]
[1308]
[1309]
[1310]
[1311]
[1312]
[1313]
[1314]
[1315]
[1316]
[1317]
[1318]
[1319]
[1320]
[1321]
[1322]
[1323]
[1324]
[1325]
[1326]
[1327]
[1328]
[1329]
[1330]
[1331]
[1332]
[1333]
[1334]
[1335]
[1336]
[1337]
[1338]
[1339]
[1340]
[1341]
[1342]
[1343]
[1344]
[1345]
[1346]
[1347]
[1348]
[1349]
[1350]
[1351]
[1352]
[1353]
[1354]
[1355]
[1356]
[1357]
[1358]
[1359]
[1360]
[1361]
[1362]
[1363]
[1364]
[1365]
[1366]
[1367]
[1368]
[1369]
[1370]
[1371]
[1372]
[1373]
[1374]
[1375]
[1376]
[1377]
[1378]
[1379]
[1380]
[1381]
[1382]
[1383]
[1384]
[1385]
[1386]
[1387]
[1388]
[1389]
[1390]
[1391]
[1392]
[1393]
[1394]
[1395]
[1396]
[1397]
[1398]
[1399]
[1400]
[1401]
[1402]
[1403]
[1404]
[1405]
[1406]
[1407]
[1408]
[1409]
[1410]
[1411]
[1412]
[1413]
[1414]
[1415]
[1416]
[1417]
[1418]
[1419]
[1420]
[1421]
[1422]
[1423]
[1424]
[1425]
[1426]
[1427]
[1428]
[1429]
[1430]
[1431]
[1432]
[1433]
[1434]
[1435]
[1436]
[1437]
[1438]
[1439]
[1440]
[1441]
[1442]
[1443]
[1444]
[1445]
[1446]
[1447]
[1448]
[1449]
[1450]
[1451]
[1452]
[1453]
[1454]
[1455]
[1456]
[1457]
[1458]
[1459]
[1460]
[1461]
[1462]
[1463]
[1464]
[1465]
[1466]
[1467]
[1468]
[1469]
[1470]
[1471]
[1472]
[1473]
[1474]
[1475]
[1476]
[1477]
[1478]
[1479]
[1480]
[1481]
[1482]
[1483]
[1484]
[1485]
[1486]
[1487]
[1488]
[1489]
[1490]
[1491]
[1492]
[1493]
[1494]
[1495]
[1496]
[1497]
[1498]
[1499]
[1500]
[1501]
[1502]
[1503]
[1504]
[1505]
[1506]
[1507]
[1508]
[1509]
[1510]
[1511]
[1512]
[1513]
[1514]
[1515]
[1516]
[1517]
[1518]
[1519]
[1520]
[1521]
[1522]
[1523]
[1524]
[1525]
[1526]
[1527]
[1528]
[1529]
[1530]
[1531]
[1532]
[1533]
[1534]
[1535]
[1536]
[1537]
[1538]
[1539]
[1540]
[1541]
[1542]
[1543]
[1544]
[1545]
[1546]
[1547]
[1548]
[1549]
[1550]
[1551]
[1552]
[1553]
[1554]
[1555]
[1556]
[1557]
[1558]
[1559]
[1560]
[1561]
[1562]
[1563]
[1564]
[1565]
[1566]
[1567]
[1568]
[1569]
[1570]
[1571]
[1572]
[1573]
[1574]
[1575]
[1576]
[1577]
[1578]
[1579]
[1580]
[1581]
[1582]
[1583]
[1584]
[1585]
[1586]
[1587]
[1588]
[1589]
[1590]
[1591]
[1592]
[1593]
[1594]
[1595]
[1596]
[1597]
[1598]
[1599]
[1600]
[1601]
[1602]
[1603]
[1604]
[1605]
[1606]
[1607]
[1608]
[1609]
[1610]
[1611]
[1612]
[1613]
[1614]
[1615]
/*****************************************************************************/
/*
ProxyTunnel.c
*************
** CAUTION **
*************
THIS MODULE IS TASK-ORIENTED, NOT REQUEST-ORIENTED.
WASD supports the CONNECT method which effectively allows tunnelling of RAW
octets through the proxy server. This facility is most commonly used to allow
secure SSL connections to be established with hosts on the 'other side' of the
proxy server. This basic mechanism is also used by WASD to provide an extended
range of tunnelling services. The term 'RAW' is used here to indicate a raw
8 bit, bidirectional, asynchronous exchange of octets between two entities, as
a protocol family, not necessarily as an application (but can be so).
The mapping SET proxy=tunnel=request=<string> effectively allows requests to be
generated and sent to remote tunnel targets allowing straight-forward mapping
at the remote end. See example 7.
1. [ServiceProxyTunnel] CONNECT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A service with this configuration is used as a target for CONNECT proxying
(usually SSL through a firewall). The client expects an HTTP success (200)
response once the remote connection is established, and HTTP error response if
there is a problem, and once established just relays RAW octets through the
proxy server (classic CONNECT behaviour).
# WASD_CONFIG_SERVICE
[[http://*:8080]]
[ServiceProxy] enabled
[ServiceProxyTunnel] connect
# WASD_CONFIG_MAP
[[*:8080]]
if (request-method:connect)
pass *:443 *:443
endif
pass "403"
This configuration enables CONNECT processing and limits any connect to SSL
tunneling (i.e. port 443 on the remote system).
2. [ServiceProxyTunnel] RAW
~~~~~~~~~~~~~~~~~~~~~~~~~~~
This allows any raw octet client (e.g. telnet) to connect to the port and by
mapping be tunnelled to another host and port to connect to it's service (e.g.
a telnet service). The usual HTTP responses associated with CONNECT processing
are not provided.
# WASD_CONFIG_SERVICE
[[http://*:10023]]
[ServiceProxy] enabled
[ServiceProxyTunnel] raw
# WASD_CONFIG_MAP
[[*:10023]]
if (request-method:connect)
pass *:0 raw://another.host:23
endif
pass "403"
Telnet is used in the example above but the principle equally applies to any
protocol that uses a raw 8 bit, bidirectional, asynchronous exchange of
octets. Another example might be an SMTP service (port 25).
3. RAW via a CHAINED PROXY
~~~~~~~~~~~~~~~~~~~~~~~~~~
This is basically the same as the RAW tunnel described in 2 above except that
it shows a tunnel being established through an up-stream, chained proxy. It
relies of that proxy allowing a CONNECT to the destination host and more
importantly port required for the tunnel. Not all CONNECT proxy will allow
this - it's quite common to restrict CONNECT to port 443. This chained proxy
configuration is also supported for FIREWALL tunnelling.
# WASD_CONFIG_SERVICE
[[http://*:10025]]
[ServiceProxy] enabled
[ServiceProxyTunnel] raw
# WASD_CONFIG_MAP
[[*:10025]]
if (request-method:connect)
pass *:0 raw://another.host:25 proxy=chain=proxy.host:8080
endif
pass "403"
Any error in connecting to the chained proxy, making the request, connecting to
the destination, etc. (i.e. any error at all) is not reported. The network
connection is just dropped. Use WATCH to establish the cause if necessary.
4. [ServiceProxyTunnel] FIREWALL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
With this configuration a service expects that the first line of text from the
client contains a host name (or IP address) and optional port (e.g.
"the.host.name" or "the.host.name:23"). This allows a variable destination to
be mapped. The usual HTTP responses associated with CONNECT processing are not
provided.
# WASD_CONFIG_SERVICE
[[http://*:10023]]
[ServiceProxy] enabled
[ServiceProxyTunnel] FIREWALL
# WASD_CONFIG_MAP
[[*:10023]]
if (request-method:connect)
pass *:* raw://*:23
pass * raw://*:23
endif
pass "403"
The pass rules force the supplied domain name (and optional port) to be mapped
to the telnet port (23). Of course the mapping rules could allow the supplied
port to be mapped into the destination if desired.
5. ENCRYPTED TUNNEL
~~~~~~~~~~~~~~~~~~~
Up to this point the tunnels have merely been through the proxy server. It is
possible to establish and maintain ENCRYPTED TUNNELS between WASD servers. SSL
is used for this purpose. This is slightly more complex as both ends of the
tunnel need to be configured.
+------------+ +------------+
<-unencrypted->| WASD proxy |<-ENCRYPTED->| WASD proxy |<-unencrypted->
+------------+ +------------+
This arrangement may be used for any stream-oriented, network protocol between
two WASD systems. As it uses standard CONNECT requests (over SSL) it MAY also
be possible to be configured between WASD and non-WASD servers.
The following example is going to maintain an encrypted tunnel between WASD
servers running on systems KLAATU and GORT. It is designed to allow a user on
KLAATU to connect to a specified port using a telnet client, and have a telnet
session created on GORT, tunnelled between the two systems via an SSL encrypted
connection.
Source of tunnel:
# KLAATU WASD_CONFIG_SERVICE
[[http://*:10023]]
[ServiceProxy] enabled
[ServiceClientSSL] ENABLED
[ServiceProxyTunnel] RAW
# KLAATU WASD_CONFIG_MAP
[[*:10023]]
# if the client is on the local subnet
if (remote-addr:192.168.0.0/24 && request-method:connect)
pass *:0 https://gort.domain:10443 timeout=none,none,none
endif
pass "403"
Destination of tunnel:
# GORT WASD_CONFIG_SERVICE
[[https://*:10443]]
[ServiceProxy] enabled
[ServiceProxyTunnel] CONNECT
# GORT WASD_CONFIG_MAP
[[*:10443]]
# limit the connection to a specific host
if (remote-addr:192.168.0.10 && request-method:connect)
pass *:0 raw://gort.domain:23 timeout=none,none,none
endif
pass "403"
When a client connects to the service provided by port 10023 on system KLAATU
the connection is immediately processed using a pseudo CONNECT request header.
The service on this port is a proxy allowed to initiate SSL connections (client
SSL). This service is mapped to system GORT port 10443, an SSL service that
allows the CONNECT method (tunnelling). KLAATU's proxy initiates an SSL
connection with GORT. When established and the CONNECT request from KLAATU is
received, it is mapped via a raw tunnel (8 bit, etc.) to it's own system port
23 (the telnet service). Telnet is in use at both ends while encrypted by SSL
inbetween! Note the use of network addresses and general fail rules used to
control access to this service, as well as the disabling of timers that might
otherwise shutdown the tunnel.
6. ENCRYPTED TUNNEL WITH AUTHENTICATION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This arrangement is essentially a variation on example 4. It provides a
cryptographic authentication of the originator (source) of the tunnel.
Source of tunnel:
# KLAATU WASD_CONFIG_SERVICE
[[http://*:10023]]
[ServiceProxy] enabled
[ServiceClientSSL] enabled
[ServiceProxyTunnel] RAW
[ServiceClientSSLcert] HT_ROOT:[LOCAL]HTTPD.PEM
# KLAATU WASD_CONFIG_MAP
[[*:10023]]
# if the client is on the local subnet
if (remote-addr:192.168.0.0/24 && request-method:connect)
pass *:0 https://gort.domain:10443 timeout=none,none,none
endif
pass "403"
Destination of tunnel:
# GORT WASD_CONFIG_SERVICE
[[https://*:10443]]
[ServiceProxy] enabled
[ServiceProxyTunnel] CONNECT
[ServiceProxyAuth] ENABLED
# GORT WASD_CONFIG_MAP
[[*:10443]]
# we'll be relying on X509 authentication
if (request-method:connect)
pass *:0 raw://gort.domain:23 timeout=none,none,none
endif
pass "403"
# GORT WASD_CONFIG_AUTH
[[*:10443]]
[X509]
* r+w,param="[VF:OPTIONAL]",~4EAB3CBC735F8C7977EBB41D45737E37
This works by configuring the destination service to insist on proxy
authorization. The authorization realm is X509 which causes the destination to
demand a certificate from the source. The fingerprint of this certificate is
checked against the authorization rule before the connection is a allowed to
procede.
7. RAW via a CHAINED PROXY and ENCRYPTED TUNNEL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is similar to the RAW tunnel described in 2 above except that it shows a
tunnel being established through an up-stream, chained proxy to an SSL service
at the destination.
+------------+ +-------------+ +------------+
<--PT-->| WASD proxy |<--CT-->| chain proxy |<--CT-->| WASD proxy |<--PT-->
+------------+ +-------------+ +------------+
This example shows a TELNET (plaintext, PT) service being transfered encrypted
(ciphertext, CT) between the two WASD servers. The plain-text is private even
to the chained-proxy. This example uses the standard SSL port 443 and relies
on capabilities available with WASD v10.1 and later.
Source of tunnel:
# BARADA WASD_CONFIG_SERVICE
[[http://*:10023]]
[ServiceProxy] enabled
[ServiceProxyTunnel] raw
[ServiceClientSSL] enabled
# BARADA WASD_CONFIG_MAP
[[*:10023]]
if (request-method:connect)
pass *:0 https://nikto.domain:443 proxy=chain=proxy.host:8080 \
proxy=tunnel=request="CONNECT telnet"
endif
pass "403"
Any error in connecting to the chained proxy, making the request, connecting to
the destination, etc. (i.e. any error at all) is not reported. The network
connection is just dropped. Use WATCH to establish the cause if necessary.
Destination of tunnel:
# NIKTO WASD_CONFIG_SERVICE
[[https://*:443]]
# NIKTO WASD_CONFIG_MAP
[[*:443]]
if (request-method:CONNECT && request-uri:TELNET)
pass *:0 raw://nikto.domain:23 timeout=none,none,none
endif
USAGE EXAMPLE 1
---------------
This is a real-world example used to allow a Mail client (in this case Mozilla
mail, aka Thunderbird) to connect securely to an IMAP and an SMTP server (which
don't natively support SSL) via a WASD tunnel.
Thunderbird settings:
IMAP ... Server Settings ... Use Secure Connection (SSL) ... checked
(that's the port 993).
Outgoing Server (SMTP) ... Use Secure Connection ... SSL ... checked
(that's the port 465).
WASD configuration:
# WASD_CONFIG_SERVICE
#
# SSL->IMAP service
[[https://*:993]]
[ServiceProxy] enabled
[ServiceProxyTunnel] RAW
#
# SSL->SMTP service
[[https://*:465]]
[ServiceProxy] enabled
[ServiceProxyTunnel] RAW
# WASD_CONFIG_MAP
#
# SSL->IMAP service
[[*:993]]
if (request-method:connect)
pass *:0 raw://imap.host.name:143
endif
pass "403"
#
# SSL->SMTP service
[[*:465]]
if (request-method:connect)
pass *:0 raw://smtp.host.name:25
endif
pass "403"
VERSION HISTORY
---------------
15-AUG-2020 MGD ProxyTunnelRequestParse() limit -> munge of the request
19-NOV-2019 MGD ProxyTunnelBegin() support for reimplemented SHARE_SSH
02-SEP-2018 MGD ProxyTunnelNetReadAst() "X-Forwarded-For:" from RequestGet()
26-JUL-2018 MGD ProxyTunnelLogicalName() workaround for page pool leakage(?)
05-MAR-2018 MGD ProxyTunnelLogicalName() WASD_TUNNEL_SECONDS
24-JAN-2018 MGD ProxyTunnelLogicalName()
30-MAY-2016 MGD ProxyTunnelRequestParse() append mapped path for logging
11-AUG-2015 MGD restructure of network I/O abstractions
30-NOV-2010 MGD ProxyTunnelNetReadAst() on error proactively close socket
07-SEP-2010 MGD ProxyTunnelNetReadAst() inject a request
ProxyTunnelRebuildRequest() absorb header for tunnel upgrade
11-JAN-2010 JPP bugfix; ProxyTunnelReadAst() data count tx
26-MAY-2007 MGD ProxyTunnel..() provide for SSL client connections
03-SEP-2006 MGD ProxyTunnelChainConnect() and ProxyTunnelChainConnectAst()
to implement raw tunnelling through an intermediate proxy
10-AUG-2004 MGD 'tunnelling' concept generalises CONNECT method
*/
/*****************************************************************************/
#ifdef WASD_VMS_V7
#undef _VMS__V6__SOURCE
#define _VMS__V6__SOURCE
#undef __VMS_VER
#define __VMS_VER 70000000
#undef __CRTL_VER
#define __CRTL_VER 70000000
#endif
/* standard C header files */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* VMS related header files */
#include <descrip.h>
#include <dvidef.h>
#include <iodef.h>
#include <lnmdef.h>
#include <psldef.h>
#include <ssdef.h>
#include <stsdef.h>
/* application-related header files */
#include "wasd.h"
#define WASD_MODULE "PROXYTUNNEL"
/******************/
/* global storage */
/******************/
PROXY_ACCOUNTING_STRUCT *ProxyAccountingPtr;
/********************/
/* external storage */
/********************/
extern int HttpdTickSecond;
extern char ErrorSanityCheck[],
SoftwareID[];
extern ulong SysPrvMask[];
extern ACCOUNTING_STRUCT *AccountingPtr;
extern CONFIG_STRUCT Config;
extern MSG_STRUCT Msgs;
extern PROXY_ACCOUNTING_STRUCT *ProxyAccountingPtr;
extern WATCH_STRUCT Watch;
/*****************************************************************************/
/*
************
*** NOTE *** This function takes a pointer to a request!!!
************
HTTP CONNECT method (allows SSL connections through proxy system).
Parse the host name and optional port from the request.
*/
ProxyTunnelRequestParse (REQUEST_STRUCT *rqptr)
{
int in, len, out;
PROXY_TASK *tkptr;
char *cptr, *sptr, *zptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_PROXY))
WatchThis (WATCHITM(rqptr), WATCH_MOD_PROXY,
"ProxyTunnelRequestParse() !&Z", rqptr->MappedPathPtr);
/* if these two are different then */
if (strcmp (rqptr->rqHeader.RequestUriPtr, rqptr->MappedPathPtr))
{
/* append the mapped tunnel to the request URI for logging purposes */
len = strlen(rqptr->MappedPathPtr) + rqptr->rqHeader.RequestUriLength + 2;
cptr = rqptr->rqHeader.RequestUriPtr;
sptr = rqptr->rqHeader.RequestUriPtr = VmGetHeap (rqptr, len);
while (*cptr) *sptr++ = *cptr++;
*sptr++ = '-';
*sptr++ = '>';
for (cptr = rqptr->MappedPathPtr; *cptr; *sptr++ = *cptr++);
}
/*******************/
/* WASD tunnelling */
/*******************/
tkptr = rqptr->ProxyTaskPtr;
cptr = rqptr->MappedPathPtr;
/* a pragmatic extension to the usual syntax allowed in CONNECT requests */
if (strsame (cptr, "http://", 7))
{
/* unencrypted octets (expect HTTP response from remote) */
tkptr->ProxyTunnel = PROXY_TUNNEL_HTTP;
cptr += 7;
}
else
if (strsame (cptr, "https://", 8))
{
/* encrypted octets (expect HTTP response from remote) */
tkptr->ProxyTunnel = PROXY_TUNNEL_HTTPS;
cptr += 8;
}
else
if (strsame (cptr, "raw://", 6))
{
/* raw octets (expect NO HTTP response from remote) */
tkptr->ProxyTunnel = PROXY_TUNNEL_RAW;
cptr += 6;
}
else
if (strsame (cptr, "socks5://", 9))
{
/* more raw octets */
tkptr->ProxyTunnel = PROXY_TUNNEL_RAW;
cptr += 9;
}
else
{
/* yet more raw octets, without CONNECT response */
tkptr->ProxyTunnel = PROXY_TUNNEL_CONNECT;
}
/**************/
/* accounting */
/**************/
/* [service-in][proxy-out] (array indices from zero of course!) */
in = rqptr->ServicePtr->ProxyTunnel;
if (in) in--; /* just in case */
out = tkptr->ProxyTunnel - 1;
InstanceMutexLock (INSTANCE_MUTEX_HTTPD);
ProxyAccountingPtr->TunnelCurrent++;
ProxyAccountingPtr->TunnelCount[in][out]++;
InstanceMutexUnLock (INSTANCE_MUTEX_HTTPD);
/*************************/
/* get server host name */
/*************************/
zptr = (sptr = tkptr->RequestHostName) + sizeof(tkptr->RequestHostName)-1;
while (*cptr && *cptr != ':' && *cptr != '/' && sptr < zptr)
*sptr++ = *cptr++;
if (sptr >= zptr || (*cptr && *cptr != ':'))
{
InstanceGblSecIncrLong (&AccountingPtr->RequestErrorCount);
rqptr->rqResponse.HttpStatus = 502;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_REQUEST_FORMAT), FI_LI);
return (STS$K_ERROR);
}
*sptr = '\0';
/******************************/
/* get (optional) server port */
/******************************/
if (*cptr == ':')
{
cptr++;
if (isdigit(*cptr))
{
zptr = (sptr = tkptr->RequestPortString) +
sizeof(tkptr->RequestPortString)-1;
while (*cptr && isdigit(*cptr) && sptr < zptr) *sptr++ = *cptr++;
if (sptr >= zptr)
{
InstanceGblSecIncrLong (&AccountingPtr->RequestErrorCount);
rqptr->rqResponse.HttpStatus = 502;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_REQUEST_FORMAT), FI_LI);
return (STS$K_ERROR);
}
*sptr = '\0';
tkptr->RequestPort = atol (tkptr->RequestPortString);
}
else
{
tkptr->RequestPort = 443;
memcpy (tkptr->RequestPortString, "443", 4);
}
}
else
{
tkptr->RequestPort = 443;
memcpy (tkptr->RequestPortString, "443", 4);
}
/****************************/
/* build host name and port */
/****************************/
zptr = (sptr = tkptr->RequestHostPort) + sizeof(tkptr->RequestHostPort);
for (cptr = tkptr->RequestHostName;
*cptr && sptr < zptr;
*sptr++ = *cptr++);
if (sptr < zptr) *sptr++ = ':';
for (cptr = tkptr->RequestPortString;
*cptr && sptr < zptr;
*sptr++ = *cptr++);
if (sptr >= zptr)
{
rqptr->rqResponse.HttpStatus = 500;
ErrorGeneralOverflow (rqptr, FI_LI);
return (STS$K_ERROR);
}
*sptr = '\0';
tkptr->RequestHostPortLength = sptr - tkptr->RequestHostPort;
if (WATCHMOD (rqptr, WATCH_MOD_PROXY))
WatchDataFormatted ("!&Z !UL !&Z !&Z\n",
tkptr->RequestHostName,
tkptr->RequestPort, tkptr->RequestPortString,
tkptr->RequestHostPort);
return (SS$_NORMAL);
}
/****************************************************************************/
/*
When explicitly tunnelling using HTTP or HTTPS use the request header line
("CONNECT host:port HTTP/1.1") to rebuild a request header containing the
original host specification provided in that request line but this time with
the proxied remote host in the "Host:" field.
*/
int ProxyTunnelRebuildRequest (PROXY_TASK *tkptr)
{
#define STRCAT(string) \
for (cptr = string; *cptr && sptr < zptr; *sptr++ = *cptr++);
char *cptr, *sptr, *zptr;
REQUEST_STRUCT *rqptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (tkptr, WATCH_MOD_PROXY))
WatchThis (WATCHITM(tkptr), WATCH_MOD_PROXY,
"ProxyTunnelRebuildRequest()");
rqptr = tkptr->RequestPtr;
if (rqptr->rqHeader.UpgradeWASDtunnel)
{
if (WATCHMOD (tkptr, WATCH_MOD_PROXY))
WatchThis (WATCHITM(tkptr), WATCH_MOD_PROXY,
"Upgrade: WASD-tunnel");
tkptr->RebuiltRequestPtr = "";
tkptr->RebuiltRequestLength = 0;
return (SS$_NORMAL);
}
tkptr->RebuiltRequestPtr = sptr =
VmGetHeap (rqptr, rqptr->rqHeader.RequestHeaderLength + 512);
zptr = sptr + rqptr->rqHeader.RequestHeaderLength + 512;
for (cptr = rqptr->rqHeader.RequestHeaderPtr;
*cptr && NOTEOL(*cptr) && sptr < zptr;
*sptr++ = *cptr++);
STRCAT ("\r\nUser-Agent: ");
STRCAT (SoftwareID);
STRCAT ("\r\nHost: ");
STRCAT (tkptr->ConnectHostPortPtr);
STRCAT ("\r\nX-Forwarded-For: ");
STRCAT (&rqptr->ClientPtr->IpAddressString);
STRCAT ("\r\n\r\n");
if (sptr >= zptr)
{
rqptr->rqResponse.HttpStatus = 500;
ErrorGeneralOverflow (rqptr, FI_LI);
return (STS$K_ERROR);
}
*sptr = '\0';
tkptr->RebuiltRequestLength = sptr - tkptr->RebuiltRequestPtr;
if (WATCHMOD (tkptr, WATCH_MOD_PROXY))
WatchDataFormatted ("!&Z", tkptr->RebuiltRequestPtr);
return (SS$_NORMAL);
#undef STRCAT
}
/****************************************************************************/
/*
Begin processing appropriate to the mode of tunneling being employed. This
includes vanilla HTTP CONNECT method processing as well as where this proxy
chains to another. Called from ProxyNetHostConnectAst() or
SesolaNetClientConnect().
*/
ProxyTunnelBegin (PROXY_TASK *tkptr)
{
char *aptr, *cptr, *sptr, *zptr;
DICT_ENTRY_STRUCT *denptr;
REQUEST_STRUCT *rqptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (tkptr, WATCH_MOD_PROXY))
WatchThis (WATCHITM(tkptr), WATCH_MOD_PROXY,
"ProxyTunnelBegin() !UL", tkptr->ProxyTunnel);
rqptr = tkptr->RequestPtr;
if (!tkptr->TunnelEstablished)
{
tkptr->TunnelEstablished = true;
if (WATCHING (tkptr, WATCH_PROXY))
{
switch (tkptr->ProxyTunnel)
{
case PROXY_TUNNEL_CONNECT : cptr = "CONNECT"; break;
case PROXY_TUNNEL_HTTP : cptr = "HTTP"; break;
case PROXY_TUNNEL_HTTPS : cptr = "HTTPS"; break;
case PROXY_TUNNEL_RAW :
if (rqptr->rqHeader.UpgradeSocks5Ptr)
cptr = "RAW/SOCKS5";
else
cptr = "RAW";
break;
default : cptr = "?";
}
WatchThis (WATCHITM(tkptr), WATCH_PROXY,
"TUNNEL (!AZ) established", cptr);
}
if (rqptr->rqHeader.UpgradeSocks5Ptr)
ProxySocks5Reply (rqptr, SOCKS5_REPLY_SUCCESS);
ProxyTunnelLogicalName (tkptr);
}
if (rqptr->rqPathSet.ProxyTunnelRequestLength)
{
if (!tkptr->TunnelRequestGenerated)
{
if (WATCHING (tkptr, WATCH_PROXY))
WatchThis (WATCHITM(rqptr), WATCH_PROXY, "TUNNEL=REQUEST !AZ",
rqptr->rqPathSet.ProxyTunnelRequestPtr);
aptr = sptr =
VmGetHeap (rqptr, rqptr->rqPathSet.ProxyTunnelRequestLength+128);
for (cptr = rqptr->rqPathSet.ProxyTunnelRequestPtr;
*cptr;
*sptr++ = *cptr++);
if (!strstr (aptr, "HTTP/1."))
for (cptr = " HTTP/1.0\r\n"; *cptr; *sptr++ = *cptr++);
for (cptr = "Upgrade: WASD-tunnel; "; *cptr; *sptr++ = *cptr++);
for (cptr = SoftwareID; *cptr; *sptr++ = *cptr++);
for (cptr = "\r\n\r\n"; *cptr; *sptr++ = *cptr++);
/* AST back to this same function */
ProxyNetWrite (tkptr, &ProxyTunnelBegin, aptr, sptr-aptr);
tkptr->TunnelRequestGenerated = true;
return;
}
}
if (tkptr->ProxyTunnel == PROXY_TUNNEL_CONNECT)
{
/* CONNECT success response needs to be returned to the client */
ResponseHeader (rqptr, tkptr->ResponseStatusCode,
NULL, -1, NULL, NULL);
denptr = ResponseDictHeader (rqptr);
/* ensure this is performed as a data (not header) write */
rqptr->rqResponse.HeaderSent = true;
NetWrite (rqptr, &ProxyTunnelConnectResponseAst,
DICT_GET_VALUE(denptr), DICT_GET_VALUE_LEN(denptr));
return;
}
if (tkptr->ProxyTunnel == PROXY_TUNNEL_HTTP)
{
/* rebuild the CONNECT request */
ProxyTunnelRebuildRequest (tkptr);
/* send the request on through the tunnel */
ProxyNetWrite (tkptr, &ProxyTunnelWriteAst,
tkptr->RebuiltRequestPtr, tkptr->RebuiltRequestLength);
/* queue a read direct from the tunneled-to service */
ProxyNetRead (tkptr, &ProxyTunnelReadAst,
tkptr->ResponseBufferPtr, tkptr->ResponseBufferSize);
return;
}
if (tkptr->ProxyTunnel == PROXY_TUNNEL_HTTPS)
{
/* rebuild the CONNECT request */
ProxyTunnelRebuildRequest (tkptr);
/* send the request on through the tunnel */
NetIoWrite (tkptr->NetIoPtr, &ProxyTunnelWriteAst, tkptr,
tkptr->RebuiltRequestPtr, tkptr->RebuiltRequestLength);
/* queue a read direct from the tunneled-to service */
NetIoRead (tkptr->NetIoPtr, &ProxyTunnelReadAst, tkptr,
tkptr->ResponseBufferPtr, tkptr->ResponseBufferSize);
return;
}
if (tkptr->ProxyTunnel == PROXY_TUNNEL_RAW)
{
if (rqptr->rqHeader.Method == HTTP_METHOD_SHARE_SSH &&
!MATCH8 (rqptr->rqNet.ReadBufferPtr, "SSH-(timeout)"))
/* write the client SSH ident string to the server */
ProxyNetWrite (tkptr, &ProxyTunnelWriteAst,
rqptr->rqNet.ReadBufferPtr,
rqptr->NetIoPtr->ReadCount);
else
/* queue a read direct from the client */
NetRead (rqptr, &ProxyTunnelNetReadAst,
rqptr->rqNet.ReadBufferPtr,
rqptr->rqNet.ReadBufferSize);
/* queue a read direct from the tunneled-to service */
ProxyNetRead (tkptr, &ProxyTunnelReadAst,
tkptr->ResponseBufferPtr, tkptr->ResponseBufferSize);
return;
}
if (tkptr->ProxyTunnel == PROXY_TUNNEL_FIREWALL)
{
/* CONNECT success response needs to be returned to the client */
ResponseHeader (rqptr, tkptr->ResponseStatusCode,
NULL, -1, NULL, NULL);
denptr = ResponseDictHeader (rqptr);
/* ensure this is performed as a data (not header) write */
rqptr->rqResponse.HeaderSent = true;
NetWrite (rqptr, &ProxyTunnelConnectResponseAst,
DICT_GET_VALUE(denptr), DICT_GET_VALUE_LEN(denptr));
return;
}
ErrorExitVmsStatus (SS$_BUGCHECK, ErrorSanityCheck, FI_LI);
}
/****************************************************************************/
/*
Generate a CONNECT request header for the request host:port derived by
ProxyTunnelRequestParse() and then write this to the chained proxy server.
*/
int ProxyTunnelChainConnect (PROXY_TASK *tkptr)
{
#define STRCAT(string) \
for (cptr = string; *cptr && sptr < zptr; *sptr++ = *cptr++);
char *cptr, *sptr, *zptr;
char EncodedString [256];
REQUEST_STRUCT *rqptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (tkptr, WATCH_MOD_PROXY))
WatchThis (WATCHITM(tkptr), WATCH_MOD_PROXY,
"ProxyTunnelChainConnect()");
rqptr = tkptr->RequestPtr;
tkptr->RebuiltRequestPtr = sptr = VmGetHeap (rqptr, 512);
zptr = sptr + 512;
STRCAT ("CONNECT ");
STRCAT (tkptr->RequestHostPort);
if (tkptr->RequestHttpVersion == HTTP_VERSION_1_1)
STRCAT (" HTTP/1.1")
else
STRCAT (" HTTP/1.0")
STRCAT ("\r\nUser-Agent: ");
STRCAT (SoftwareID);
STRCAT ("\r\nHost: ");
STRCAT (tkptr->ConnectHostPortPtr);
STRCAT ("\r\nX-Forwarded-For: ");
STRCAT (&rqptr->ClientPtr->IpAddressString);
STRCAT ("\r\n");
if ((cptr = rqptr->ServicePtr->ProxyChainCred)[0] ||
(cptr = rqptr->rqPathSet.ProxyChainCredPtr))
{
/* upstream (chained) proxy require authorization */
if (strsame (cptr, "basic:", 6))
{
/* format is "basic:<username>:<password>" */
cptr = BasicPrintableEncode (cptr+6, EncodedString,
sizeof(EncodedString));
if (cptr[0])
{
/* error report returned by the encode function */
rqptr->rqResponse.HttpStatus = 401;
ErrorGeneral (rqptr, cptr, FI_LI);
return (STS$K_ERROR);
}
STRCAT ("Proxy-Authorization: basic ");
STRCAT (EncodedString);
STRCAT ("\r\n")
}
else
{
rqptr->rqResponse.HttpStatus = 500;
ErrorGeneral (rqptr, MsgFor(rqptr,MSG_AUTH_SCHEME), FI_LI);
return (STS$K_ERROR);
}
}
STRCAT ("\r\n");
if (sptr >= zptr)
{
rqptr->rqResponse.HttpStatus = 500;
ErrorGeneralOverflow (rqptr, FI_LI);
return (STS$K_ERROR);
}
*sptr = '\0';
tkptr->RebuiltRequestLength = sptr - tkptr->RebuiltRequestPtr;
if (WATCHMOD (tkptr, WATCH_MOD_PROXY))
WatchDataFormatted ("!&Z", tkptr->RebuiltRequestPtr);
/* to the CONNECT request write synchonously */
ProxyNetWrite (tkptr, NULL,
tkptr->RebuiltRequestPtr, tkptr->RebuiltRequestLength);
/* queue a read for the CONNECT response */
ProxyNetRead (tkptr, &ProxyTunnelChainConnectAst,
tkptr->ResponseBufferPtr, tkptr->ResponseBufferSize);
return (SS$_NORMAL);
#undef STRCAT
}
/****************************************************************************/
/*
The chained proxy server has responded to the CONNECT request. Check for
network errors and that the response looks something like HTTP success. If it
does begin reading from each of the client and the chained proxy server.
*/
ProxyTunnelChainConnectAst (PROXY_TASK *tkptr)
{
int DataCount;
char *DataPtr;
REQUEST_STRUCT *rqptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (tkptr, WATCH_MOD_PROXY))
WatchThis (WATCHITM(tkptr), WATCH_MOD_PROXY,
"ProxyTunnelChainConnectAst() !&F !&S !UL",
&ProxyTunnelChainConnectAst,
tkptr->NetIoPtr->ReadStatus,
tkptr->NetIoPtr->ReadCount);
if (VMSnok (tkptr->NetIoPtr->ReadStatus))
{
ProxyEnd (tkptr);
return;
}
DataPtr = tkptr->ResponseBufferPtr;
DataCount = tkptr->NetIoPtr->ReadCount;
if (WATCHMOD (tkptr, WATCH_MOD_PROXY))
WatchDataDump (DataPtr, DataCount);
DataPtr[DataCount] = '\0';
if (!MATCH7 (DataPtr, "HTTP/1."))
{
ProxyEnd (tkptr);
return;
}
DataPtr += 7;
while (*DataPtr && *DataPtr != ' ') DataPtr++;
while (*DataPtr == ' ') DataPtr++;
if (!MATCH3 (DataPtr, "200"))
{
ProxyEnd (tkptr);
return;
}
rqptr = tkptr->RequestPtr;
/* it's successful if the remote host accepts it */
if (rqptr) rqptr->rqResponse.HttpStatus = 200;
/* once we start reading into the buffer the request header is kaput */
rqptr->rqHeader.RequestHeaderPtrInvalid = true;
if (tkptr->ProxyTunnel == PROXY_TUNNEL_HTTPS)
SesolaNetClientBegin (tkptr);
else
ProxyTunnelBegin (tkptr);
}
/****************************************************************************/
/*
************
*** NOTE *** This function takes a pointer to a request!!!
************
A standard CONNECT response has been sent to the client by this server.
It is necessary to provide this explicitly with a 'raw' connection.
Check status. If OK then begin to tunnel.
*/
ProxyTunnelConnectResponseAst (REQUEST_STRUCT *rqptr)
{
PROXY_TASK *tkptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_PROXY))
WatchThis (WATCHITM(rqptr), WATCH_MOD_PROXY,
"ProxyTunnelConnectResponseAst() !&F !&S !UL",
&ProxyTunnelConnectResponseAst,
rqptr->NetIoPtr->WriteStatus,
rqptr->NetIoPtr->WriteCount);
tkptr = rqptr->ProxyTaskPtr;
if (VMSnok (rqptr->NetIoPtr->WriteStatus))
{
ProxyEnd (tkptr);
return;
}
NetRead (rqptr, &ProxyTunnelNetReadAst,
rqptr->rqNet.ReadBufferPtr,
rqptr->rqNet.ReadBufferSize);
ProxyNetRead (tkptr, &ProxyTunnelReadAst,
tkptr->ResponseBufferPtr,
tkptr->ResponseBufferSize);
}
/****************************************************************************/
/*
************
*** NOTE *** This function takes a pointer to a request!!!
************
A read from the client has completed.
Check status. If OK write it to the remote connection.
This function is also used to insert an "X-Forwarded-For: <client-ip-addr>"
header immediately following the HTTP request line, if the path is SET
"proxy=xforwardedfor=address", as in the following example
pass *:0 raw://192.168.1.15:80 notimeout proxy=xforwardedfor=address
The algorithm relies on the HTTP request line being at the front of a read
buffer and there be no pipelined requests inside buffer-fulls of tunneled data.
So each request must have a distinct beginning and end in the network reads
and writes, which is (mostly and generally) the case.
*/
ProxyTunnelNetReadAst (REQUEST_STRUCT *rqptr)
{
int bcnt, xflen, rlen;
char ch;
char *bptr, *cptr, *czptr, *xfptr;
PROXY_TASK *tkptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_PROXY))
WatchThis (WATCHITM(rqptr), WATCH_MOD_PROXY,
"ProxyTunnelNetReadAst() !&F !&S !UL",
&ProxyTunnelNetReadAst,
rqptr->NetIoPtr->ReadStatus,
rqptr->NetIoPtr->ReadCount);
tkptr = rqptr->ProxyTaskPtr;
if (VMSnok (rqptr->NetIoPtr->ReadStatus))
{
ProxyNetCloseSocket (tkptr);
ProxyEnd (tkptr);
return;
}
rqptr->BytesRx64 += rqptr->NetIoPtr->ReadCount;
bptr = rqptr->rqNet.ReadBufferPtr;
bcnt = rqptr->NetIoPtr->ReadCount;
if ((rqptr->rqPathSet.ProxyXForwardedFor == PROXY_XFORWARDEDFOR_ADDRESS) &&
(xfptr = rqptr->rqHeader.XForwardedForPtr))
{
rlen = 0;
for (czptr = (cptr = bptr) + bcnt;
cptr < czptr && !MATCH2(cptr,"\r\n") && *cptr != '\n';
cptr++)
{
if (MATCH7 (cptr, "HTTP/1."))
{
cptr += 7;
if (!(MATCH2 (cptr, "1\n") || MATCH3 (cptr, "1\r\n") ||
MATCH2 (cptr, "0\n") || MATCH3 (cptr, "0\r\n")))
continue;
/* found end-of-line that looks suspiciously like an HTTP request */
cptr++;
if (*cptr == '\r') cptr++;
if (*cptr == '\n') cptr++;
/* length of request line */
rlen = cptr - bptr;
break;
}
}
if (rlen)
{
/* found what looks like an HTTP request line */
xflen = strlen(xfptr) + sizeof("X-Forwarded-For: %s\r\n")-3;
if (bcnt + xflen > rqptr->NetIoPtr->ReadSize)
{
/* won't fit into the original buffer */
bptr = VmGetHeap (rqptr, bcnt + xflen);
memcpy (bptr, rqptr->rqNet.ReadBufferPtr, bcnt);
}
/* move to allow insertion of the forwarded line */
memmove (bptr + rlen + xflen, bptr + rlen, bcnt - rlen);
/* insert the forwarded line reversing the trailing null overwrite */
ch = *(bptr + rlen + xflen);
sprintf (bptr + rlen, "X-Forwarded-For: %s\r\n", xfptr);
*(bptr + rlen + xflen) = ch;
/* length of the buffer is the original plus length of forwarded */
bcnt += xflen;
}
}
ProxyNetWrite (tkptr, &ProxyTunnelWriteAst, bptr, bcnt);
}
/****************************************************************************/
/*
************
*** NOTE *** This function takes a pointer to a request!!!
************
A write to the client has completed.
Check status. If OK read more from the remote connection.
*/
ProxyTunnelNetWriteAst (REQUEST_STRUCT *rqptr)
{
PROXY_TASK *tkptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (rqptr, WATCH_MOD_PROXY))
WatchThis (WATCHITM(rqptr), WATCH_MOD_PROXY,
"ProxyTunnelNetWriteAst() !&F !&S !UL",
&ProxyTunnelNetWriteAst,
rqptr->NetIoPtr->WriteStatus,
rqptr->NetIoPtr->WriteCount);
tkptr = rqptr->ProxyTaskPtr;
if (VMSnok (rqptr->NetIoPtr->WriteStatus))
{
ProxyEnd (tkptr);
return;
}
ProxyNetRead (tkptr, &ProxyTunnelReadAst,
tkptr->ResponseBufferPtr,
tkptr->ResponseBufferSize);
}
/****************************************************************************/
/*
AST completion of read from remote connection.
Check status. If OK write it to the client connection.
*/
ProxyTunnelReadAst (PROXY_TASK *tkptr)
{
int DataCount;
char *cptr, *zptr,
*DataPtr;
REQUEST_STRUCT *rqptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (tkptr, WATCH_MOD_PROXY))
WatchThis (WATCHITM(tkptr), WATCH_MOD_PROXY,
"ProxyTunnelReadAst() !&F !&S !UL",
&ProxyTunnelReadAst,
tkptr->NetIoPtr->ReadStatus,
tkptr->NetIoPtr->ReadCount);
rqptr = tkptr->RequestPtr;
if (VMSnok (tkptr->NetIoPtr->ReadStatus))
{
ProxyEnd (tkptr);
return;
}
DataPtr = tkptr->ResponseBufferPtr;
DataCount = tkptr->NetIoPtr->ReadCount;
if ((tkptr->ProxyTunnel == PROXY_TUNNEL_CONNECT ||
/***
tkptr->ProxyTunnel == PROXY_TUNNEL_HTTP ||
tkptr->ProxyTunnel == PROXY_TUNNEL_HTTPS) &&
***/
tkptr->ProxyTunnel == PROXY_TUNNEL_HTTP) &&
(rqptr->ServicePtr->ProxyTunnel == PROXY_TUNNEL_FIREWALL ||
rqptr->ServicePtr->ProxyTunnel == PROXY_TUNNEL_RAW))
{
/* need to absorb any CONNECT response header */
if (tkptr->ResponseConsecutiveNewLineCount < 2)
{
zptr = (cptr = DataPtr) + DataCount;
while (cptr < zptr)
{
if (*cptr == '\n')
tkptr->ResponseConsecutiveNewLineCount++;
else
if (*cptr != '\r')
tkptr->ResponseConsecutiveNewLineCount = 0;
cptr++;
if (tkptr->ResponseConsecutiveNewLineCount >= 2) break;
}
DataCount -= cptr - DataPtr;
DataPtr = cptr;
if (!DataCount)
{
/* fudge these and directly deliver the AST */
NetIoWriteStatus (rqptr->NetIoPtr, ProxyTunnelNetWriteAst, rqptr,
SS$_NORMAL, 0);
return;
}
}
}
rqptr->BytesTx64 += DataCount;
NetWrite (rqptr, &ProxyTunnelNetWriteAst, DataPtr, DataCount);
}
/****************************************************************************/
/*
A write to the remote connection has completed.
Check status. If OK read more from the client connection.
*/
ProxyTunnelWriteAst (PROXY_TASK *tkptr)
{
REQUEST_STRUCT *rqptr;
/*********/
/* begin */
/*********/
if (WATCHMOD (tkptr, WATCH_MOD_PROXY))
WatchThis (WATCHITM(tkptr), WATCH_MOD_PROXY,
"ProxyTunnelWriteAst() !&F !&S !UL",
&ProxyTunnelWriteAst,
tkptr->NetIoPtr->WriteStatus,
tkptr->NetIoPtr->WriteCount);
rqptr = tkptr->RequestPtr;
if (VMSnok (tkptr->NetIoPtr->WriteStatus))
{
ProxyEnd (tkptr);
return;
}
NetRead (rqptr, &ProxyTunnelNetReadAst,
rqptr->rqNet.ReadBufferPtr,
rqptr->rqNet.ReadBufferSize);
}
/****************************************************************************/
/*
Multiple value logical name WASD_TUNNEL where the zeroeth element contains
internal run-time data for use by WASD and elements 1 through 127 contain the
tunnel data.
The path must be SET .. PROXY=FORWARDED=FOR or SET .. PROXY=FORWARDED=ADDRESS
for the logical name to be created. "=FOR" uses the resolved client host name
(if enabled) and "=ADDRESS" always the client IP address.
Tunnel data value format:
<internal-host:port>=<external-host:port>=<client-host:port>
"localhost:54321=external.host.net:2222=client.host.net:23456"
Where 'localhost:54321' is the internal host name and port,
'external.host.net:2222' the external service the client connected to, and
'client.host.net:23456' the client's host and port.
By default the logical name will be deleted if a minute or more has passed
since last updated. This can be increased by defining the logical name
WASD_TUNNEL_SECONDS to an integer value of seconds. The deletion can be
disabled completely by defining it to zero or some non-digit.
ProxyTunnelLogicalName(NULL) is called by ProxyMaintSupervisor() every minute.
The INSTANCE_MUTEX_HTTPD is used to coordinate potential multiple instances.
Example DCL code to extract the client "<host>:<port>" using the <port>
provided by TT_ACCPORNAM. If it is not found logical name TT_CLIENT does not
exist. Adapt to suit local requirements.
$ if P1 .eqs. "" then P1 = f$element(1,":",f$getdvi("TT:","TT_ACCPORNAM"))
$ value = ""
$ local = ""
$ service = ""
$ client = ""
$ index = 1
$ index_loop:
$ value = f$trnlnm("WASD_TUNNEL","WASD_TABLE",index)
$ if value .eqs. ""
$ then
$ wait 00:00:01
$ value = f$trnlnm("WASD_TUNNEL","WASD_TABLE",index)
$ endif
$ if value .eqs. "" then goto end_index_loop
$ local = f$element(0,"=",value)
$ addr = f$element(0,":",local)
$ port = f$element(1,":",local)
$ if port .eqs. P1
$ then
$ service = f$element(1,"=",value)
$ client = f$element(2,"=",value)
$ goto end_index_loop
$ endif
$ index = index + 1
$ goto index_loop
$ end_index_loop:
$ if f$trnlnm("TT_CLIENT","LNM$PROCESS") .nes. "" -
then deassign /process TT_CLIENT
$ if client .nes. "" then define /process TT_CLIENT "''client'"
*/
ProxyTunnelLogicalName (PROXY_TASK *tkptr)
{
static int LnmCount,
TunnelSeconds;
static char LogicalName[] = "WASD_TUNNEL";
static $DESCRIPTOR (LogNameDsc, LogicalName);
static $DESCRIPTOR (WasdTableDsc, "WASD_TABLE");
static $DESCRIPTOR (NumberFaoDsc, "!UL");
static $DESCRIPTOR (StampFaoDsc, "!UL !%D !UL");
static uchar ExecMode = 1; /* PSL$C_EXEC */
static VMS_ITEM_LIST3 LnmItems [] =
{
{ sizeof(LnmCount), LNM$_INDEX, &LnmCount, 0 },
{ 255, LNM$_STRING, 0, 0 },
{ 0,0,0,0 }
};
int idx, port, status,
TickSecond;
short slen;
short LogValueLength [128];
char *cptr, *clptr, *sptr, *zptr;
char LocalHostPort [255+1],
LogValue [128][255+1],
PortString [32];
REQUEST_STRUCT *rqptr;
$DESCRIPTOR (PortStringDsc, PortString);
$DESCRIPTOR (StampDsc, LogValue[0]);
VMS_ITEM_LIST3 CreLnmItems [128+1];
/*********/
/* begin */
/*********/
if (WATCHMOD (tkptr, WATCH_MOD_PROXY))
WatchThis (WATCHITM(tkptr), WATCH_MOD_PROXY, "ProxyTunnelLogicalName()");
if (!tkptr)
{
/************/
/* maintain */
/************/
InstanceMutexLock (INSTANCE_MUTEX_HTTPD);
/* zeroeth element contains the time stamp */
LnmCount = 0;
LnmItems[1].buf_addr = &LogValue[LnmCount];
LnmItems[1].ret_len = &LogValueLength[LnmCount];
status = sys$trnlnm (0, &WasdTableDsc, &LogNameDsc, 0, &LnmItems);
if (VMSnok (status))
{
/* logical name does not exist or error */
InstanceMutexUnLock (INSTANCE_MUTEX_HTTPD);
return;
}
LogValue[LnmCount][LogValueLength[LnmCount]] = '\0';
TickSecond = atoi(LogValue[LnmCount]);
TunnelSeconds = 60;
if (cptr = SysTrnLnm(WASD_TUNNEL_SECONDS))
{
TunnelSeconds = atoi(cptr);
if (TunnelSeconds <= 0)
{
InstanceMutexUnLock (INSTANCE_MUTEX_HTTPD);
return;
}
if (TunnelSeconds < 60) TunnelSeconds = 60;
}
/* allow the name to exist for at least this number of seconds */
if (HttpdTickSecond - TickSecond < TunnelSeconds)
{
InstanceMutexUnLock (INSTANCE_MUTEX_HTTPD);
return;
}
if (WATCH_CAT && WATCH_CATEGORY(WATCH_PROXY))
WatchThis (WATCHALL, WATCH_PROXY, "WASD_TUNNEL delete");
if (VMSnok (status = sys$setprv (1, &SysPrvMask, 0, 0)))
ErrorExitVmsStatus (status, "sys$setprv()", FI_LI);
status = sys$dellnm (&WasdTableDsc, &LogNameDsc, &ExecMode);
if (VMSnok (status) && status != SS$_NOLOGNAM)
ErrorNoticed (NULL, status, LogicalName, FI_LI);
if (VMSnok (status = sys$setprv (0, &SysPrvMask, 0, 0)))
ErrorExitVmsStatus (status, "sys$setprv()", FI_LI);
InstanceMutexUnLock (INSTANCE_MUTEX_HTTPD);
return;
}
/**************/
/* new tunnel */
/**************/
rqptr = tkptr->RequestPtr;
if (rqptr->rqPathSet.ProxyForwardedBy != PROXY_FORWARDED_FOR &&
rqptr->rqPathSet.ProxyForwardedBy != PROXY_FORWARDED_ADDRESS) return;
if (rqptr->rqPathSet.ProxyForwardedBy == PROXY_FORWARDED_FOR)
clptr = rqptr->ClientPtr->Lookup.HostName;
else
if (rqptr->rqPathSet.ProxyForwardedBy == PROXY_FORWARDED_ADDRESS)
clptr = rqptr->ClientPtr->IpAddressString;
else
clptr = "SS$_BUGCHECK";
/* get the originating port for the local connection */
port = ProxyNetLocalPort (tkptr);
InstanceMutexLock (INSTANCE_MUTEX_HTTPD);
/***********************/
/* get current content */
/***********************/
/* get the current content(s) of the logical name */
for (LnmCount = 1; LnmCount <= 127; LnmCount++)
{
LnmItems[1].buf_addr = &LogValue[LnmCount];
LnmItems[1].ret_len = &LogValueLength[LnmCount];
status = sys$trnlnm (0, &WasdTableDsc, &LogNameDsc, 0, &LnmItems);
if (VMSok (status))
{
if (!LogValueLength[LnmCount]) break;
LogValue[LnmCount][LogValueLength[LnmCount]] = '\0';
}
else
{
if (status == SS$_NOLOGNAM) break;
InstanceMutexUnLock (INSTANCE_MUTEX_HTTPD);
ErrorNoticed (rqptr, status, LogicalName, FI_LI);
return;
}
}
if (!(LnmCount == 1 && status == SS$_NOLOGNAM))
{
/******************/
/* delete current */
/******************/
/*
After a couple of dynamic page pool exhaustions Jeremy Begg using
SDA> show pool/paged/summary
SDA> show pool/page/type=lnm
suggested perhaps leakage associated with multi-value logical name
(re)creation. This deletion is an attempt to test/workaround that.
*/
if (VMSnok (status = sys$setprv (1, &SysPrvMask, 0, 0)))
ErrorExitVmsStatus (status, "sys$setprv()", FI_LI);
status = sys$dellnm (&WasdTableDsc, &LogNameDsc, &ExecMode);
if (VMSnok (status) && status != SS$_NOLOGNAM)
ErrorNoticed (NULL, status, LogicalName, FI_LI);
if (VMSnok (status = sys$setprv (0, &SysPrvMask, 0, 0)))
ErrorExitVmsStatus (status, "sys$setprv()", FI_LI);
InstanceMutexUnLock (INSTANCE_MUTEX_HTTPD);
}
/******************/
/* no duplicates! */
/******************/
zptr = (sptr = LocalHostPort) + sizeof(LocalHostPort)-1;
for (cptr = tkptr->RequestHostName; *cptr && sptr < zptr; *sptr++ = *cptr++);
if (sptr < zptr) *sptr++ = ':';
sys$fao (&NumberFaoDsc, &slen, &PortStringDsc, port);
for (cptr = PortString; slen-- && sptr < zptr; *sptr++ = *cptr++);
*sptr = '\0';
for (idx = 1; idx < LnmCount; idx++)
{
/* compare logical name local host:port with the tunnel host:port */
for (cptr = LogValue[idx]; *cptr && *cptr != '='; cptr++);
if (!*cptr) continue;
*cptr = '\0';
if (strsame (LogValue[idx], LocalHostPort, -1))
{
*cptr = '=';
break;
}
*cptr = '=';
}
/***********************/
/* create/update entry */
/***********************/
/* rollover at index 127 */
if (idx >= 127)
idx = 1;
else
if (idx >= LnmCount)
LnmCount++;
zptr = (sptr = &LogValue[idx]) + 255;
for (cptr = LocalHostPort; *cptr && sptr < zptr; *sptr++ = *cptr++);
if (sptr < zptr) *sptr++ = '=';
for (cptr = rqptr->ServicePtr->ServerHostPort;
*cptr && sptr < zptr;
*sptr++ = *cptr++);
if (sptr < zptr) *sptr++ = '=';
for (cptr = clptr; *cptr && sptr < zptr; *sptr++ = *cptr++);
if (sptr < zptr) *sptr++ = ':';
sys$fao (&NumberFaoDsc, &slen, &PortStringDsc, rqptr->ClientPtr->IpPort);
for (cptr = PortString; slen-- && sptr < zptr; *sptr++ = *cptr++);
*sptr = '\0';
LogValueLength[idx] = sptr - (char*)&LogValue[idx];
if (sptr >= zptr)
{
InstanceMutexUnLock (INSTANCE_MUTEX_HTTPD);
ErrorNoticed (rqptr, SS$_RESULTOVF, LogValue, FI_LI);
return;
}
if (WATCHING (tkptr, WATCH_PROXY))
WatchThis (WATCHITM(tkptr), WATCH_PROXY, "WASD_TUNNEL !UL !AZ",
LnmCount, LogValue[idx]);
/***********************/
/* update logical name */
/***********************/
/* time stamp of last update into the zeroeth element */
StampDsc.dsc$a_pointer = LogValue[0];
StampDsc.dsc$w_length = sizeof(LogValue[0]);
sys$fao (&StampFaoDsc, &slen, &StampDsc,
HttpdTickSecond, 0, LnmCount-1);
LogValueLength[0] = slen;
CreLnmItems[0].buf_len = LogValueLength[0];
CreLnmItems[0].item = LNM$_STRING;
CreLnmItems[0].buf_addr = &LogValue[0];
CreLnmItems[0].ret_len = 0;
for (idx = 1; idx < LnmCount; idx++)
{
CreLnmItems[idx].buf_len = LogValueLength[idx];
CreLnmItems[idx].item = LNM$_STRING;
CreLnmItems[idx].buf_addr = &LogValue[idx];
CreLnmItems[idx].ret_len = 0;
}
/* terminate item list */
CreLnmItems[idx].buf_len = 0;
CreLnmItems[idx].item = 0;
CreLnmItems[idx].buf_addr = 0;
CreLnmItems[idx].ret_len = 0;
if (VMSnok (status = sys$setprv (1, &SysPrvMask, 0, 0)))
ErrorExitVmsStatus (status, "sys$setprv()", FI_LI);
status = sys$crelnm (0, &WasdTableDsc, &LogNameDsc, &ExecMode, &CreLnmItems);
if (VMSnok (status)) ErrorNoticed (rqptr, status, LogicalName, FI_LI);
if (VMSnok (status = sys$setprv (0, &SysPrvMask, 0, 0)))
ErrorExitVmsStatus (status, "sys$setprv()", FI_LI);
InstanceMutexUnLock (INSTANCE_MUTEX_HTTPD);
}
/****************************************************************************/